Motive for massive cyberattack may not have been money, experts say

Security experts worry the sudden explosion of malicious software may have been more sinister than a criminally minded shakedown of computer users.

By Raphael Satter and Jan M. Olsen, The Associated Press

Thu., June 29, 2017

PARIS—The cyberattack that has locked up computers around the world while demanding a ransom may not be an extortion attempt after all, but an effort to create havoc in Ukraine, security experts say.

“There may be a more nefarious motive behind the attack,” Gavin O’Gorman, an investigator with U.S. antivirus firm Symantec, said in a blog post. “Perhaps this attack was never intended to make money, rather to simply disrupt a large number of Ukrainian organizations.”

The rogue program landed its heaviest blows on the Eastern European nation, where the government, dozens of banks and other institutions were sent reeling. It disabled computers at government agencies, energy companies, cash machines, supermarkets, railways and communications providers. Many of these organizations had recovered by Thursday.

The program, known by a variety of names, including NotPetya, initially appeared to be ransomware, a type of malicious software that encrypts its victims’ data and holds it hostage until a payment is made, usually in bitcoins, the hard-to-trace digital currency often used by criminals.

But O’Gorman and several other researchers said the culprits would have been hard-pressed to make money off the scheme. They appear to have relied on a single email address that was blocked almost immediately and a single bitcoin account that has collected the relatively puny sum of $10,000.

A new, highly virulent strain of malicious ransom software crippled computers globally and appears to have been sown in Ukraine, where it badly hobbled much of the government and private sector on the eve of a holiday celebrating a post-Soviet constitution. Security experts say the motive behind the attack may not have been money. (Vadim Ghirda / The Associated Press)

Others, such as Russian anti-virus firm Kaspersky Lab, said clues in the code suggest the program’s authors would have been incapable of decrypting the data, further indicating the ransom demands may have been a smokescreen.

The timing was intriguing too: The attack came the same day as the assassination of a senior Ukrainian military intelligence officer and a day before a national holiday celebrating the new Ukrainian constitution signed after the breakup of the Soviet Union.

Tensions have been running high between Russia and Ukraine, with Moscow seizing Crimea in 2014 and pro-Russian separatists fighting government forces for control of eastern Ukraine.

Russia has long been suspected of engineering earlier cyberattacks against Ukraine, including the hack of its voting system ahead of 2014 national elections and an assault that knocked its power grid offline in 2015.

Ransomware or not, computer specialists worldwide were still wrestling with its consequences, with varying degrees of success.

Danish shipping giant A.P. Moller-Maersk, one of the global companies hit hardest, said Thursday that most of its terminals are running again, though some are operating in a limited way or more slowly than usual.

Problems have been reported across the shipper’s global business, from Mobile, Alabama, to Mumbai in India. At Mumbai’s Jawaharlal Nehru Port, several hundred containers could be seen piled up at just two of the more than a dozen yards.

“The vessels are coming, the ships are coming, but they are not able to take the container because all the systems are down,” trading and clearing agent Rajeshree Verma said. “We are actually in a fix because of all this.”

Dozens of major corporations and government agencies have been disrupted, including FedEx subsidiary TNT and Ukraine’s banking system.

Even small businesses otherwise unaffected by the malware are beginning to feel the pain.

Steffan Mastek of Petersen & Soerensen, a Danish ship repair company, said he had been forced to re-order engine parts because TNT’s track-and-trace system for parcels was down.
